• Eric Biggers's avatar
    KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings · c9f838d1
    Eric Biggers authored
    This fixes CVE-2017-7472.
    
    Running the following program as an unprivileged user exhausts kernel
    memory by leaking thread keyrings:
    
    	#include <keyutils.h>
    
    	int main()
    	{
    		for (;;)
    			keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
    	}
    
    Fix it by only creating a new thread keyring if there wasn't one before.
    To make things more consistent, make install_thread_keyring_to_cred()
    and install_process_keyring_to_cred() both return 0 if the corresponding
    keyring is already present.
    
    Fixes: d84f4f99 ("CRED: Inaugurate COW credentials")
    Cc: stable@vger.kernel.org # 2.6.29+
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    c9f838d1
keyctl.c 41.5 KB